PA-DSS Aspirations
I'm sure by now you've heard plenty about the industry's movement towards PCI compliance and the stamping of every program that touches credit cards with PA-DSS certification, and not enough about Blackbaud's progress with Patron Edge. Here is a quick breakdown of some of the features and enhancements we have made in Patron Edge 3.340, and of the changes we are continuing to work on as we work to get the PA-DSS stamp put on Patron Edge:
- As of version 3.340, credit card information is now encrypted with an administrator-defined encryption key as transactions are queued to be cleared.
- As soon as a transaction clears, every reference to a credit card number is permanently truncated. The last four digits of the card number are the only data retained.
- Any reports that display transaction data will show at most the final four digits of a credit card number, and fewer depending on the user's security settings.
- Credit card transaction log files (Tix_PSC logs) no longer store credit card details beyond the last four digits of the card number.
- Password rules, such as password length, rotation, and account lockouts, will go into effect for all user accounts.
- Audit trails will be implemented for all system components in order to be able to recreate system events.
- The installation package will be digitally signed to ensure file integrity and prevent any kind of tampering.
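As an added illustration of the truncation and log-scrubbing points above (example code written for this post, not Blackbaud's or Patron Edge's own code; the log lines are constructed and the field names are assumptions), here is a small Python check that truncates a card number to its last four digits and scans log text for any Luhn-valid full card number that survived:

```python
import re
from typing import List

# Constructed sample of the kind of lines a transaction log might hold.
# These are not real Tix_PSC log lines; 4111111111111111 is a public test card number.
SAMPLE_LOG = """\
2009-03-01 10:15:02 queued txn=1001 pan=4111111111111111 amount=45.00
2009-03-01 10:15:09 cleared txn=1001 pan=************1111 amount=45.00
2009-03-01 10:16:30 cleared txn=1002 pan=1111 amount=12.50
2009-03-01 10:17:44 queued txn=1003 order=1234567890123 amount=9.99
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check: card numbers pass it, most order/reference numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, as described for cleared transactions."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a full card number")
    return digits[-4:]


# A run of 13-19 digits not bordered by other digits is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(log_text: str) -> List[int]:
    """Return 1-based line numbers of lines that still contain a Luhn-valid PAN."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if any(luhn_ok(m.group()) for m in PAN_CANDIDATE.finditer(line)):
            hits.append(n)
    return hits
```

Running `find_unmasked_pans(SAMPLE_LOG)` flags only the first line, where the queued transaction was written out with a full card number; the masked, truncated and non-card numeric fields pass.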
The audit of Patron Edge is being performed by a company called Trustwave, which we are using to audit all of our products as well as our Hosting environment. Be assured that Patron Edge will be PA-DSS certified, but in the meantime there are more changes in the pipeline that are required to meet this evolving standard. Have a question? Leave a note in the comments.